A web-log on Q3J5cHRvZ3JhcGh5, alert(document.cookie), and screensaver.exe


I think that I shall never see
A graph more lovely than a tree.
A tree whose crucial property
Is loop-free connectivity.
A tree which must be sure to span.
So packets can reach every LAN.
First the Root must be selected
By ID it is elected.
Least cost paths from Root are traced
In the tree these paths are placed.
A mesh is made by folks like me
Then bridges find a spanning tree.

The Spanning Tree Protocol was developed by Dr. Radia Perlman, who gave the idea in her poem “Algorhyme” which is based on “Trees” by Joyce Kilmer.

Penetration testing is the evaluation of a computer system, whether a single device or a group of interconnected nodes, against potential attacks from inside or outside that could break its security.

As we were promised by the authorities, for the HPC workshop we were to be given supercomputer access. We didn’t get the real access, but were given the CLI through the CDAC Gateway. The 16-core machine was capable enough to handle several of the unbreakable loops created by students’ MPI and OpenMP programs. The whole past week was dedicated to High Performance Computing topics, and we mainly learnt about clusters, process communication for large numbers of processors and the libraries for their development.

The module started with the introduction to High Performance computing and Clusters, and went through covering topics like OpenMP, MPI, parallel and serial processing comparisons, various algorithms for optimizing performance in parallel systems and General Purpose Graphical Processing Unit. The tests and assessment went well with the OpenMP and MPI programming.

And by the way, I moved to Gandhinagar last week. Enjoying independent life. Need to handle everything on my own, but I have started to like it. Getting more free time to work and read.

Next module for Network Defense and Countermeasures is starting next Monday, and the pre-assignments are yet to be completed. The only thing left to do is perform some NMap packet captures, which I cannot perform with the wireless internet. Need to visit the college lab for the Ethernet captures. Getting back to work, clusters and networks, adios!

Imagine a scenario where you are the System Admin of an organization using a Windows domain. There is a guy in the organization who has fought with his manager and is now resigning from his post. This disgruntled employee may have the idea of encrypting all the company’s data from his own user account before leaving. If he encrypts all the data, we do not have the key to decrypt it, and that’s a big loss.

How to overcome this? Answer is data recovery agent.

Public and private keys come into the picture here: when creating a data recovery agent, you provide the public key to employees, while the private key is available only to the admin. Hence whenever someone encrypts data on his machine in the Windows domain, he needs the public key to encrypt, but he can’t decrypt someone else’s data, as the private key is not available to him. This provides Data Integrity and Confidentiality.

Steps:

You’ll need a Windows server 2008 as a server machine, and a client such as XP or Windows 7.

On the server machine, start the command prompt.

First step is to create a set of public and private keys.

Create a directory named ‘certi’ for storing the keys and then go to that directory with the following commands

> mkdir certi

> cd certi

Now, to create a pair of keys, the command is as below:

> cipher /R:certi_file

This command will ask you to provide a password for the keys. Two files will be created. File with extension “.cer” is the public key (which we need to provide to the client) and “.pfx” is the private key (to be kept secret).

Now, in the same server machine, run the command ‘certmgr.msc’

This will open a window where you can edit the available certificates. Import our private key by-

What do we use password-less SSH for? A secure encrypted channel between two machines. When we want a permanent secure channel between these two machines without entering a password every time we need access, the best way is to make them password-less.

How does this work? Through the concept of public-private keys. We generate the RSA key pair for our SSH and provide our public key to the next machine. It’s that easy. The next machine needs to add our public key to its file called authorized keys. Done.

Steps are here –

Generate the ssh keys first for starting the ssh service on both sides. And then start the ssh service.

# sshd-generate

# /etc/init.d/ssh start

You can check the ssh service running on port 22 by the netstat command.

Next is to generate our RSA keypair. The command is,

# ssh-keygen

We have our public and private keys with us. Now let’s send the public key to the remote machine, using Secure Copy. The keys in our machine are stored at /root/.ssh/

The authorized key set for the next machine is stored at /root/.ssh/authorized_keys

After the above command, you’ll be asked to enter the password. But that will be the last time someone asks for the ssh password. For secure shell from the next machine to yours, follow the same process from the next machine. That’s all folks!
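
Once public keys have been appended to authorized_keys, it is worth checking what that file now trusts. The following is an added example, not code from the original post: it parses an authorized_keys entry, computes the SHA256 fingerprint in the form `ssh-keygen -lf` prints, and flags short RSA keys. The sample entries, the helper names and the 2048-bit threshold are assumptions made for the demo.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048  # assumed audit threshold, not a value from the post


def ssh_string(data):
    """Length-prefixed string as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def mpint(n):
    """Positive SSH mpint: a leading zero byte is added when the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_line(modulus, comment):
    """Build a constructed, non-functional ssh-rsa line for this demo."""
    blob = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def read_strings(blob):
    """Split a key blob into its length-prefixed fields, rejecting truncation."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + size > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields


def audit_line(line):
    """Parse one authorized_keys entry: [options] type base64-blob [comment]."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type followed by a key blob")
    declared = tokens[idx]
    blob = base64.b64decode(tokens[idx + 1], validate=True)
    fields = read_strings(blob)
    if not fields:
        raise ValueError("empty key blob")
    inner = fields[0].decode("ascii", "replace")
    findings, bits = [], None
    if inner != declared:
        findings.append("declared type %s but blob holds %s" % (declared, inner))
    if inner == "ssh-rsa":
        if len(fields) != 3:
            raise ValueError("ssh-rsa blob must hold type, e and n")
        bits = int.from_bytes(fields[2], "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append("RSA modulus is only %d bits" % bits)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": inner, "bits": bits, "fingerprint": "SHA256:" + digest,
            "options": " ".join(tokens[:idx]), "comment": " ".join(tokens[idx + 2:]),
            "findings": findings}


# Constructed sample entries; the moduli are placeholders, not real keys.
SAMPLE_OK = make_rsa_line((1 << 2047) | 1, "root@client")
SAMPLE_WEAK = make_rsa_line((1 << 1023) | 1, "root@oldbox")

if __name__ == "__main__":
    for entry in (SAMPLE_OK, 'from="192.0.2.10" ' + SAMPLE_WEAK):
        print(audit_line(entry))
```

Comparing the reported fingerprint with the one shown on the machine that generated the key confirms that the entry in authorized_keys is the key you meant to trust.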

It’s a version of the Denial of Service attack that floods the victim with spoofed broadcast pings. A large number of pings are sent to the IP broadcast address of the victim, it responds back with broadcast to all the hosts – and these hosts simultaneously reply – causing a major lock in the network.

Ping of Death

A funny ping – an ICMP packet is sent to the victim which floods its buffer, causing the system to reboot or the network to hang.

DoS

The Denial of Service attack does exactly as the name suggests – prevents the users from the service. Can be generally implemented with ICMP spoofing.

SYN Flood

The SYN packets are used for connection establishment – and these SYN packets are used here to take down a computer by sending a number of useless SYN packets, and the computer becomes too busy responding to the SYNs.

Virus

Tiny programs that do a variety of bad things to computers – and they can replicate themselves!

File virus – contained in executables like .exe, .dll, and .com.

Macro virus – A script that automatically carries out a task – without the user initiating it.

Boot sector virus – They damage the booting process of a computer by over-writing the boot sector, creating problems like hard disk error or missing OS.

Worms

They are a lot like virus, and also they can actively replicate – without the user opening or executing them. They can propagate and destroy themselves.

Now you need to make changes for including the SSL connection. First go to the directory sites-available

# cd sites-available

Modify the file “default-ssl” by replacing the contents of SSLCertificateKey and SSLCertificateFile as shown below:

Modify the file “default” by copying the Virtual host from above and making the changes in it as shown:

In the folder /etc/apache2/ you need to make changes to the ‘httpd.conf’ file by adding these two lines to the blank file:

Now provide the command to start the ssl service

# a2enmod ssl

Restart the apache service and you will get the service started as shown below:

Congratulations! Your SSL Apache server has started.

Now try to browse your Apache from a remote machine, by typing “http://ip of your server” in its browser.

To check the SSL connection, try ‘https’ instead of ‘http’ before the ip address

The first time, you will get a message that it is an untrusted connection (because it is using a certificate which we have just created, and you will not have that certificate). Add an exception for the certificate.

After you add an exception for the certificate, you will finally get the SSL connection to the Apache server. The SSL connection will work as long as you have the respective certificate added to your browser.

Yes, moved to Gandhinagar-Ahmedabad last week. Got admitted for the M.Tech. course at Gujarat Technological University, for specialization in IT Systems and Network Security. Instead of the conventional Computer Engineering Masters, I chose the special course for my passion, computer networks and security. Even the subjects are interesting, like Distributed and Cloud Computing, Grid Computing and Network Defense and Countermeasures. I am very excited to study these subjects.

Last week passed with basics of Operating Systems and Object Oriented Designing. The institute uses OpenSuse 12.0 as their primary OS for the Labs. Object Oriented lectures were a revision of the fundamental concepts, as I am familiar with them because of the subjects like Object Oriented Concepts and Advanced Java Technology during my Bachelors. All the faculties are from CDAC-ACTS centers, veteran and expert in their fields. I am liking the environment and work culture at this college which needs full dedication, though it is somewhat strict.

Next Monday I am shifting to Sector 5A, Gandhinagar. The way to college needs a bus ride plus some walking. The walkway to my college is so lush green that it tempts you to take a walk even if you don’t like walking. And here’s a picture of it:

Also, started using Tata Photon 3G wireless to stay connected all the time. Will update more frequently now, about my college life, security projects, and our access to Param Yuva (yeah, surprise!) through ParamNet.

You are in a hurry and want to refer to the common port numbers, but you can’t go through the whole list of port numbers to find the useful ports. Here I’ve given some frequently used port numbers for a quick reference:

Last night I attended a webinar on Windows Server 2012, conducted by the trainer Ed Liberman, and it happened to be very informative. Though the presentation was mostly through screenshots and virtualized, the information gain was high.

The webinar started with the primary installation of the server OS on a virtual machine. This is just the normal installation, same as any other Windows OS (and if you’ve worked with Windows 8 client side, this installation is no big deal). And the main advantage starts from here – in older Server operating systems we could install either the core server or the graphical interface, but it was not possible to change to the other interface by just removing one interface. But Microsoft has now made it possible to remove the GUI after you configure the server, and then you can work smoothly with the core installation. It is not easy to configure the core server with all those commands on the prompt, and hence this change by Microsoft is going to get some applause.

The UI is the Metro look by Microsoft, and there are some changes in the Server Manager window. The window shows any errors in any of the features of the server, and this becomes a problem while having a clean installation. When you perform a custom install of the operating system on a new machine, be ready to have some error messages from the Server Manager window. But that’s all good, as now we can monitor and manage them from the same window.

The UI seems tricky to some people, and they are not happy with the Metro look, demanding Microsoft to give an option for changing back to normal look. But that option is not going to be available in the near future, as Microsoft has implemented the Metro look to all its new technologies, and it won’t be happy to have any modifications to them now. Yes, there will be unofficial tweaks for getting the normal look, but you’ll have to wait for it. While for me, I am good with the Metro look, as they’ve continued with the search-box and shortcuts. The interface is decent, its just that you need time to have some familiarity with it.

As time was a constraint, the webinar was not able to cover the advanced features, but I am learning them from my course at the Microsoft Virtual Academy. At the MVA, I am able to discover more deeply through their official videos and white papers, and the self assessments are fun. Hope to get among the top ten students by completing some more tracks in my free time. Keep checking for more updates on Windows Server 2012, as I’m soon going to implement it on my machine and have some hands-on with the system.

SMDS, or Switched Multimegabit Data Service, has not yet gained significant market penetration, although it has begun to experience some growth. SMDS was viewed as a stepping stone to ATM, since some of the communications equipment and media are common to the two technologies. As SMDS is not available everywhere, and there is more interest in ATM, SMDS has had a hard time getting into the mainstream.
SMDS does, however, have some penetration; if your long-distance carrier is MCI, you may have cause to use this technology. The attraction of SMDS is that it has the potential to provide high-speed, link-level connections (initially in the 1 to 34 Mbps range) with the economy of a shared public network, and exhibits many of the qualities of a LAN.
In an SMDS network, each node has a unique 10-digit address. Each digit is in binary-coded decimal, with 4 bits used to represent values 0 through 9. Bellcore, the “keeper” of the SMDS standard, assigns a 64-bit address for SMDS, which has the following allocation:
• The most significant 4 bits are either 1100 to indicate an individual address, or 1110 to indicate a group address.
• The next 4 most significant bits are used for the country code, which is 0001 for the United States.
• The next 40 bits are the binary-coded decimal bits representing the 10-decimal digit station address.
• The final 16 bits are currently padded with ones.
To address a node on the SMDS network, all you need do is put the node’s SMDS address in the destination field of the SMDS frame. In this way, SMDS behaves in a fashion similar to Ethernet or Token-Ring, which delivers frames according to MAC addresses. A key difference between SMDS and these LAN technologies, however, is the maximum frame size allowed. Ethernet allows just over 1500 bytes, and Token-Ring just over 4000 bytes, but SMDS allows up to 9188 bytes. These SMDS frames are segmented into ATM-sized 53-byte cells for transfer across the network. A large frame size gives SMDS the ability to encapsulate complete LAN frames, such as Ethernet, Token-Ring, and FDDI, for transportation over the SMDS network.
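
The 64-bit address allocation listed above can be packed and unpacked as follows. This is an added example, not part of the original post; the function names and the station number used in the demo are constructed for illustration.

```python
INDIVIDUAL = 0b1100   # most significant 4 bits: individual address
GROUP = 0b1110        # most significant 4 bits: group address
COUNTRY_US = 0b0001   # next 4 bits: country code for the United States
PADDING = 0xFFFF      # final 16 bits, padded with ones


class SMDSAddressError(ValueError):
    """Raised when a value does not follow the SMDS address layout."""


def encode_smds(station, group=False, country=COUNTRY_US):
    """Pack a 10-digit station address into the 64-bit SMDS layout."""
    if len(station) != 10 or any(ch not in "0123456789" for ch in station):
        raise SMDSAddressError("station address must be exactly 10 decimal digits")
    if not 0 <= country <= 0xF:
        raise SMDSAddressError("country code must fit in 4 bits")
    value = ((GROUP if group else INDIVIDUAL) << 4) | country
    for ch in station:
        value = (value << 4) | int(ch)   # one BCD nibble per decimal digit
    return (value << 16) | PADDING


def decode_smds(value):
    """Unpack and validate a 64-bit SMDS address."""
    if not 0 <= value < (1 << 64):
        raise SMDSAddressError("address must be a 64-bit value")
    kind = value >> 60
    if kind not in (INDIVIDUAL, GROUP):
        raise SMDSAddressError("address type must be 1100 or 1110")
    digits = []
    for shift in range(52, 12, -4):      # ten nibbles in bits 55..16
        nibble = (value >> shift) & 0xF
        if nibble > 9:
            raise SMDSAddressError("nibble %X is not a BCD digit" % nibble)
        digits.append(str(nibble))
    if value & 0xFFFF != PADDING:
        raise SMDSAddressError("final 16 bits must all be ones")
    return {"group": kind == GROUP,
            "country": (value >> 56) & 0xF,
            "station": "".join(digits)}


if __name__ == "__main__":
    # Constructed station number, used only to show the layout.
    packed = encode_smds("2025550147")
    print("%016X" % packed, decode_smds(packed))
```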

Hello you! For the past 3 months I have been preparing for the Network+ and CCNA certifications. I had planned to appear for the N+ after my final exams and CCNA after gaining some industrial experience with computer networks.

Then I had a thought of appearing for the N+ during my reading vacations before the final exams – so that I can give my full time to job hunting after the university exams. And on 27th I went to the Pearson VUE Exam Centre, Baroda for my first networking certification exams. I was fully prepared for the exams – intense work for 1 week – from CBT Nuggets, Network+ Study Guide by Todd Lammle and my practical experience in the industry during my college projects. And my hard work showed the results – passed the exams with 790 marks! I am very glad to have such a glorious result in my first ever networking certification. Now eagerly waiting for the certification kit with hard copy of the certificate having my name printed on it!

As part of my college project work, I am developing a secure network at a medium sized office. Last week I completed the configuration of the wi-fi router with the normal protocols as well as some security features. Prior to developing the physical network, I tested the network with all its preferences in two different network simulators for its successful working (mainly for the IP address assigning). Let me describe the techniques which I used in the router configuration –

Network Address Translation – Yes, the protocol which changes the Class C private address of the company’s computers to some Class A public addresses provided by the service provider. For the company I have configured the addresses as 192.x.x.x and the outside addresses will be 117.x.x.x (IP not displayed because of security reasons, you know!)

Firewall – Configured the firewall inside the router (as there was no Demilitarized Zone for the company). The firewall works with the Access Control Lists, filtering the packets of data with insecure protocols. Oh yes, it is a stateless firewall.

Site Blocking – This is the easiest security mechanism – to block the http sites with the words or tags used in the site content. Also, the sites are blocked with their categories – music streaming, proxy, adult and gaming.

DHCP – Oh yes, it’s not that tough to configure DHCP on a Cisco router – but it is, when the router also works as a gateway – connecting the IP addresses of class A and class C.

This is what I configured in the router during this time. The access points that are used for the wireless networks are Cisco WRT54GL APs. The whole network for the authorities is working efficiently, and the next steps are to configure the catalyst switch and install the routers.

Along with the project work, I am preparing for networking certifications – CompTIA Network+ and CCNA. Planning to appear for Network+ during May, after completing my Engineering exams.

After the wi-fi development, I was busy with the crimping and cabling at the project site. Along with the cabling, the installation and configuration of client machines was going on. Then I developed the servers for the desired functions. And at last I connected the different VLANs with each other through manageable switches.

I configured this local network with the following features–

DHCP: For automatic IP address assigning, according to the group of users, plus some reserved IP addresses for the dedicated devices.

Active Directory: For user rights management and delegation, and to handle the working of the whole forest.

DNS and Print Servers: For the domain controlling and print purposes – according to the user group priority.

VLANs: Consisting of 3 different Virtual LANs of the different divisions of the company, along with Virtual LAN Trunking Protocol.

Testing is planned to be completed within three days, of the whole network (including wi-fi, VLAN and Windows Server-clients). The compiling of project report will be the task to be completed before March ending. The project submission is in the first week of April, followed by the final university exams.

Hello all. I have started working on my second phase of the college project – to develop a secure network at a medium business office. As part of the project, I was asked to solve the network problems, plus develop a solution network in the industry. So I will be working part-time for developing the network with advanced features.

The network which I have to develop has large number of computers, connected as clients to the server, security mechanisms consisting of Firewall, Access Control Lists, IP Sec and site blocking. A VLAN will be configured between three divisions of the company. The authorities need the wi-fi networking in their area, while the staff will be provided the ethernet local area network. The server will be a Windows machine, configured with DHCP, Active Directory, IIS, FTP Server and Group Policy Management. I will keep you updated regarding my progress in developing the network. Adios, for now.

What is HDLC?

HDLC stands for High-Level Data Link Control protocol. Like the two other WAN protocols mentioned in this article, HDLC is a Layer 2 protocol. HDLC is a simple protocol used to connect point to point serial devices. For example, you have a point to point leased line connecting two locations, in two different cities. HDLC would be the protocol with the least amount of configuration required to connect these two locations. HDLC would be running over the WAN, between the two locations. Each router would be de-encapsulating HDLC and dropping the traffic off on the LAN.

HDLC performs error correction, just like Ethernet. Cisco’s version of HDLC is actually proprietary because they added a protocol type field. Thus, Cisco HDLC can only work with other Cisco devices.

HDLC is actually the default protocol on all Cisco serial interfaces. If you do a show running-config on a Cisco router, your serial interfaces (by default) won’t have any encapsulation. This is because they are configured to the default of HDLC.

What is PPP?

You may have heard of the Point to Point Protocol (PPP) because it is used for almost every dial up connection to the Internet. PPP is based on HDLC and is very similar. Both work well to connect point to point leased lines.

The differences between PPP and HDLC are:

PPP is not proprietary when used on a Cisco router

PPP has several sub-protocols that make it function.

PPP is feature-rich with dial up networking features

Because PPP has so many dial-up networking features, it has become the most popular dial up networking protocol in use today. Here are some of the dial-up networking features it offers:

Link quality management monitors the quality of the dial-up link and how many errors have been taken. It can bring the link down if the link is receiving too many errors.

Multilink can bring up multiple PPP dialup links and bond them together to function as one.

Authentication is supported with PAP and CHAP. These protocols take your username and password to ensure that you are allowed access to the network you are dialing in to.

What is Frame-Relay?

Frame Relay is a Layer 2 protocol and commonly known as a service from carriers. For example, people will say “I ordered a frame-relay circuit”. Frame relay creates a private network through a carrier’s network. This is done with permanent virtual circuits (PVC). A PVC is a connection from one site, to another site, through the carrier’s network. This is really just a configuration entry that a carrier makes on their frame relay switches.

Obtaining a frame-relay circuit is done by ordering a T1 or fractional T1 from the carrier. On top of that, you order a frame-relay port, matching the size of the circuit you ordered. Finally, you order a PVC that connects your frame relay port to another of your ports inside the network.

The benefits to frame-relay are:

Ability to have a single circuit that connects to the “frame relay cloud” and gain access to all other sites (as long as you have PVCs). As the number of locations grow, you would save more and more money because you don’t need as many circuits as you would if you were trying to fully-mesh your network with point to point leased lines.

Improved disaster recovery because all you have to do is to order a single circuit to the cloud and PVC’s to gain access to all remote sites.

By using the PVCs, you can design your WAN however you want. Meaning, you define what sites have direct connections to other sites and you only pay the small monthly PVC fee for each connection.

Do you know about the Android App Inventor service by Google? (Yes, it was developed by Google, but they took back the support last month, and it is now in the hands of Massachusetts Institute of Technology.) It allows anyone, including people unfamiliar with computer programming, to create software applications for the Android operating system (OS). It uses a graphical interface, very similar to Scratch and the StarLogo TNG user interface, that allows users to drag-and-drop visual objects to create an application that can run on the Android system, which runs on many mobile devices.

When Google terminated their support to the service, MIT offered their services to support the application development. MIT had asked individuals to host the service on their machines by providing scripts for the compiling of the apps. I was among the volunteers to host the service and provide my space for the compiling, developing and storing their apps.

I developed a Linux RHEL 5 server, configured the services for application development – File Transfer Protocol, Domain Name System, HTTP Transfer and Port Mapping; and also connected the machine with Google AppEngine to run the scripts on my machine while developing the apps and testing through the emulator. Last week I hosted the service for a selected group on a trial basis, and the service is working fine. So now I am announcing it open for you all to test my service – develop Android apps the easiest way – store/download your apps – build the apk for your app – or just play with your apps on the emulator. Feel free to develop-test the apps your way – and to report problems, if any, through email.

Whoa! It was fun to be working the whole week with cables and servers and switches.. Completed the developing of network at the school and this ends my phase I of the college project.

As I had mentioned in the previous post, I was working at a school to develop a full fledged network with all advanced features. Let me describe the details of the network –

While playing with the unmanageable switches, all the clients were configured to join the domain controller server. (It was a tough task to successfully tame the clients to join the domain, most of them had problems with either administrative privileges, ping or network connections.)

Last week I was working on my college project – allotted by the Technological University. The project is to identify the frequent computer hardware and networking problems occurring in the industry and to solve them in the next phase of the project.

In the current part of my project, I worked at a computer maintenance centre (HSPL) to identify and discuss the problems which were happening with the computers at their service centre. I also accompanied the technicians to different sites where they had to solve the networking problems – some schools, inventories and small-medium business offices. I was successful in identifying and solving the problems, which completes the initial part of my project’s phase I. This was my first step in the computer networking industry, and it was fun to learn the industry practices and the maintenance of large computer networks. I hope to learn more and more with this project work, while enhancing my knowledge and skills.

Next week I am assigned the task to develop a medium sized network at St. Xavier’s School, where I have to configure the clients along with 3 different Windows servers to provide the services of Active Directory, Domain Controller, Print Server and DNS server on the server machines. The crimping and cabling needs to be done with Cat 5e cables, joining the RJ45 ports. Yes, crimping and cabling is tough, and so is the perfect client configuration; but I love networking, and I will complete all the configurations within 1 week. This will be my first networking experience in the industry, wishing all the best to me!